Answered by:

Need Help Understanding Required Permissions Root of Drive

Question

We attached a drive from a Windows XP computer to a Windows 8.1 computer. The drive shows up, but logged in as local administrator on the Windows 8.1 box we are not able to view the root. The permissions on the partition of that new device
were set to give SYSTEM and Administrators group Full Access.

It looks to me like when you start File Explorer while logged in as a local administrator, that it starts up in some restrictive mode, treating you in effect like a standard user? The only way I was able to get access to the partition was to first
force the local admin as the owner, and then to modify the root permissions to include the local admin userid explicitly.

By default in Windows 8.1, it will give "Authenticated Users" the ability to Modify existing files. That seems like a very permissive setting and we would like to be more restrictive without making the system unusable. Without having
to hardcode in the name of the local admin, how can we restructure these default settings to give local admin Full Access to the device. That question has two parts:

1) Is there any way to elevate File Explorer to be in an administrative mode so that it acts in the context of local administrator? That would allow it to respect file permissions that gives local "Administrators" group access to a resource.

2) In general, what processes / applications are going to start failing if you remove "Authenticated Users" as having access to a drive. I guess File Explorer is an important one. I could substitute a different vendor's file explorer
and run it as Administrator as a worst case.

The security here is balancing a lot of different issues, and it is cumbersome to work with it.

Answers

Applications normally run with the level of access granted in a standard user access token, even if the applications are started by a user that is a member of the local Administrators group.

Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. Generally, we use the Authenticated Users group instead
of the Everyone group to prevent anonymous access to a resource.